diff --git a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
index 1f9cc42dc..dea314515 100644
--- a/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/controllers/OPNsense/Freeradius/forms/eap.xml
@@ -58,4 +58,10 @@
dropdown
Set minimum TLS version. Please be aware that every version below 1.2 is considered as insecure.
+
+ eap.tls_max_version
+
+ dropdown
+ Set maximum TLS version. Use 1.2 to avoid TLS 1.3 for legacy clients.
+
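Review bot: The help text on the new `eap.tls_max_version` field covers only the 1.2 case, but the option list added in Eap.xml (second hunk of that file) also offers 1.0 and 1.1 as a maximum. Choosing either caps every TLS session of the EAP module at a version that the `tls_min_version` help just above already calls insecure, and nothing in the form says so. I would extend the help to `Set maximum TLS version. Use 1.2 to avoid TLS 1.3 for legacy clients. A maximum below 1.2 forces all clients onto a TLS version that is considered insecure.` If no supported deployment needs a cap below 1.2, dropping 1.0 and 1.1 from the maximum's option list would be the stricter choice.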
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
index 7698b14be..f135125c2 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.php
@@ -3,6 +3,7 @@
namespace OPNsense\Freeradius;
use OPNsense\Base\BaseModel;
+use OPNsense\Base\Messages\Message;
/*
Copyright (C) 2017 Michael Muenz
@@ -32,4 +33,23 @@ use OPNsense\Base\BaseModel;
class Eap extends BaseModel
{
+ public function performValidation($validateFullModel = false)
+ {
+ $messages = parent::performValidation($validateFullModel);
+
+ if (
+ $validateFullModel ||
+ $this->tls_min_version->isFieldChanged() ||
+ $this->tls_max_version->isFieldChanged()
+ ) {
+ if ($this->tls_min_version->asFloat() > $this->tls_max_version->asFloat()) {
+ $messages->appendMessage(new Message(
+ gettext('TLS minimum version must be less than or equal to TLS maximum version.'),
+ $this->tls_max_version->getInternalXMLTagName()
+ ));
+ }
+ }
+
+ return $messages;
+ }
}
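Review bot: The ordering check `$this->tls_min_version->asFloat() > $this->tls_max_version->asFloat()` is only correct while every option key parses as a decimal number. That holds for the 1.0 to 1.3 keys in Eap.xml, but nothing in the code says so. Either add a comment such as `// option keys are "1.0".."1.3", so a numeric comparison orders them correctly`, or compare the strings with `version_compare((string)$this->tls_min_version, (string)$this->tls_max_version, '>')`. The message is keyed only to `tls_max_version`, so when the user edits just the minimum, the error appears under a field they did not change. `performValidation` also has no docblock describing the cross-field rule it adds on top of the parent validation.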
diff --git a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
index fba239000..7cda2110c 100644
--- a/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
+++ b/net/freeradius/src/opnsense/mvc/app/models/OPNsense/Freeradius/Eap.xml
@@ -1,7 +1,7 @@
//OPNsense/freeradius/eap
EAP configuration
- 1.9.17
+ 1.9.18
md5
@@ -65,5 +65,16 @@
1.3
+
+ 1.3
+ Y
+ N
+
+ 1.0
+ 1.1
+ 1.2
+ 1.3
+
+
diff --git a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
index 652bebc8e..e43e15708 100644
--- a/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
+++ b/net/freeradius/src/opnsense/service/templates/OPNsense/Freeradius/mods-enabled-eap
@@ -456,7 +456,7 @@ eap {
# The values must be in quotes.
#
tls_min_version = "{{ OPNsense.freeradius.eap.tls_min_version }}"
- tls_max_version = "1.3"
+ tls_max_version = "{{ OPNsense.freeradius.eap.tls_max_version }}"
# Elliptical cryptography configuration
#
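Review bot: The new `tls_max_version = "{{ OPNsense.freeradius.eap.tls_max_version }}"` line has no fallback for a config.xml that does not yet carry the key. Jinja renders an undefined value as an empty string unless strict undefined handling is enabled, so the line would come out as `tls_max_version = ""`; how FreeRADIUS treats that value is not visible here. The model version bump presumably triggers a migration that writes the 1.3 default, but `{{ OPNsense.freeradius.eap.tls_max_version|default('1.3') }}` would preserve the old hard-coded behaviour if that step has not run. The `tls_min_version` line above has the same form, and the enclosing `eap { … }` block starts and ends outside this hunk.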